Users Pose the Greatest Security Risk

The latest data from CSO’s 2018
U.S. State of Cybercrime report highlights the risk users create, and how
little organizations are doing to address it.

This year’s report covers a wide
range of topics, providing a relatively comprehensive view of the state of
cyberattacks, organizational preparedness, and incident response. I’ve pulled
out a number of stats that help to demonstrate the role users play in
increasing risk to the organization, what organizations are doing about it, and
how they can further make an impact on stopping cyberattacks.

Who is experiencing attacks (and how bad are they)?

A majority of organizations (59%)
have experienced at least one targeted attack during the past 12 months. And
targeted attacks are costly: 40% of security event-related financial
loss in the same past 12 months was caused by targeted attacks. This massive
financial loss is likely due to the fact that over a third of organizations (35%)
indicated it takes longer than a month to identify intrusions on their network,
giving attackers the time they need to wreak havoc on your data.

What kinds of attacks?

The CSO data confirms what we’re
already seeing across the industry:

28% of organizations experienced viruses, worms or
other malicious malware on-prem, 9% in the cloud

What’s missing from this survey is
the inclusion of cryptojacking, which has overtaken ransomware as the dominant
attack vector in many industries.

Who’s falling for attacks?

Users. That’s who. 42% of
organizations cited the “innocent employee” who unwittingly falls victim to a
phishing or hacker scam, or whose credentials were otherwise compromised, as the
greatest threat.

What are organizations doing about it?

A supermajority (95%) of
organizations are using some form of Security Awareness Training at least
annually. But, according to the survey, only 15% of organizations are
creating a security culture with continual training and phishing testing.

Is Security Awareness Training working?

According to CSO, it’s a
resounding yes. Nearly two-thirds of organizations (66%) say that the
use of security awareness training has had a significant/reasonable impact on
reducing the number of successful phishing attacks at their organization.

Just think of how much more
impactful it would be if these same organizations used continual training and
testing to help establish an ever-present security mindset.

With users posing a significant
risk, and organizations thinking they’re doing all they can to make a positive
impact, it’s time to learn from the data: more Security Awareness Training will
have that much more of an impact in stopping the “innocent user syndrome” that
plagues organizations today.

I strongly suggest you get a quote for security awareness training for your organization and find out how affordable it is. Take the first step and email sales@gdrgroup.com to request a quote; you will be pleasantly surprised.